Try running gpresult /R
for RSoP summary or gpresult /V
for verbose output from the command line as an administrator on the computer. It should output something like this:
C:\Windows\system32>gpresult /V
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 2/10/2010 at 10:27:41 AM
RSOP data for OQMSupport01\- on OQMSUPPORT01 : Logging Mode
------------------------------------------------------------
OS Configuration: Standalone Workstation
OS Version: 6.1.7600
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\-
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 2/10/2010 at 10:16:09 AM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: OQMSUPPORT01
Domain Type: <Local Computer>
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
System Mandatory Level
Everyone
Debugger Users
IIS_WPG
SQLServer2005MSSQLUser$OQMSUPPORT01$ACT7
SQLServerMSSQLServerADHelperUser$OQMSUPPORT01
BUILTIN\Users
NT AUTHORITY\SERVICE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
BDESVC
BITS
CertPropSvc
EapHost
hkmsvc
IKEEXT
iphlpsvc
LanmanServer
MMCSS
MSiSCSI
RasAuto
RasMan
RemoteAccess
Schedule
SCPolicySvc
SENS
SessionEnv
SharedAccess
ShellHWDetection
wercplsupport
Winmgmt
wuauserv
LOCAL
BUILTIN\Administrators
USER SETTINGS
--------------
Last time Group Policy was applied: 2/10/2010 at 10:00:51 AM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: OQMSupport01
Domain Type: <Local Computer>
The user is a part of the following security groups
---------------------------------------------------
None
Everyone
Debugger Users
HomeUsers
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
NTLM Authentication
High Mandatory Level
The user has the following security privileges
----------------------------------------------
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Adjust memory quotas for a process
Remove computer from docking station
Perform volume maintenance tasks
Impersonate a client after authentication
Create global objects
Change the time zone
Create symbolic links
Increase a process working set
Or if you are logged in to a Windows Server OS with the ActiveDirectory PowerShell Module (or Client OS with the Remote Server Administration Tools) try the Get-ADPrincipalGroupMembership
cmdlet:
C:\Users\username\Documents> Get-ADPrincipalGroupMembership username | Select name
name
----
Domain Users
All
Announcements
employees_US
remotes
ceo-report
all-engineering
not-sales
Global-NotSales
While @sysdmin1138 answer was correct it's worth mentioning that changing the scope is not the only reason why things are missing from the view. There are things that invisible by default.
Some objects such as physicalDeliveryOfficeName are hidden from view so you can't delegate them easily. A lot of other attributes are also hidden, but physicalDeliveryOfficeName is very specific and can be good example on how things works for Delegation.
The Per-Property Permissions tab for a user object that you view through Active Directory Users and Computers may not display every property of the user object. This is because the user interface for access control filters out object and property types to make the list easier to manage. While the properties of an object are defined in the schema, the list of filtered properties that are displayed is stored in the Dssec.dat file that is located in the %systemroot%\System32 folder on all domain controllers. You can edit the entries for an object in the file to display the filtered properties through the user interface.
A filtered property looks like this in the Dssec.dat file:
[User]
propertyname=7
To display the read and write permissions for a property of an object, you can edit the filter value to display one or both of the permissions. To display both the read and write permissions for a property, change the value to zero (0):
[User]
propertyname=0
To display only the write permission for a property, change the value to 1:
[User]
propertyname=1
To display only the read permissions for a property, change the value to 2:
[User]
propertyname=2
After you edit the Dssec.dat file, you must quit and restart Active Directory Users and Computers to see the properties that are no longer filtered. The file is also machine specific so changing it on one machine doesn’t update all others. It’s up to you whether you want it visible everywhere or not.
Full story about physicalDeliveryOfficeName and how to change it with screenshots can be read at my blog.
PS1. Since physicalDeliveryOfficeName is special case, after modifying this setting look for Read/Write Office Location. Unfortunately the name physicalDeliveryOfficeName never shows up.
PS2. Unless those settings are uncovered by modifying dssec.dat you won't be able to see them. Since this file is per computer it's entirely possible it's visible on some computers and not visible on others depending whether someone made the change earlier or not. This could explain why you could see it before and not later on.
PS3. Sorry for resurrection but just spent few hours trying to find the cause so thought I would share it for future reference.
Best Answer
This is hard. Very hard. You could do something like write a script to iterate over a filesystem and evaluate permissions but it would be somewhat cumbersome - you'd have to run it on each server and it may take a long time depending on how many files are on the server.
Look at the group members. Are they primarily a group of people from one department? That may point you in the right direction, and if you have a cryptic group name (e.g
HSGD Super Users
whereHSGD
is a departmental LOB app) you could ask if it means anything to them.Check the Notes field of the group to see if it contains anything helpful (hint: that field is VERY useful and I would recommend you use it going forward).
For this to be a thorough check, you're going to have to check other things than filesystem permissions though. Anything that is capable of using Windows permissions will need to be checked, and unfortunately I can guarantee you will forget something (everyone always forgets hardware appliances). Off the top of my head though:
I should also call out something very important, which is you shouldn't forget a users indirect group memberships from nested groups. Believe me, that's a real kicker - I've done it before.
Finally, I was being somewhat flippant when I said this in a comment to your question, so make what you will of this bit of advice. If you've got a group you want to delete, make a note of the group members and simply take them all out of the group. It's important you don't immediately delete the group because if this group has permissions granted all over the place and you cause serious breakage you will want to quickly fix it by adding everyone back in. If you delete the group, you first have to figure out where the permissions are granted (which you don't know) and apply the exact same permissions as before, which may not be default permissions (again, which you don't know).